Re: problem matching realms - for local auth not proxy

2009-04-03 Thread Alan DeKok
Seamus Bridgeman wrote:
> We have a need to use dbm file given our volumes and migration from
> current dbm based Radius.

  In 2.x, the "users" file is put into an internal hash.  So it's just
as fast (if not faster) than DBM files.

  I've tested it reading 10's of 1000's of entries in the "users" file
in less than a second.  So unless you have 100's of 1000's of entries in
the "users" file, the DBM overhead is unnecessary.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problem matching realms - for local auth not proxy

2009-04-03 Thread Seamus Bridgeman
Fair enough Alan. Reprimand warranted and accepted. We removed proxy
settings but naturally need this to match realms in proxy.conf, which
solved our problem.

Take your point on controlled iterative changes to default settings in
radiusd.conf and not butchering!
Just getting familiar with changes post 2.0.0 (virtual servers with
authorise{} etc.).

We have a need to use dbm file given our volumes and migration from current
dbm based Radius.

thanks again for help/advice.

2009/4/1 Alan DeKok 

> Seamus Bridgeman wrote:
> > Using freeradius2.1.3 for separate Auth and Acct servers in DSL/PPPoE
> > n/w. Using CHAP auth only and lookup via dbm file with users.txt
> > fallback.
> > Can successfully authenticate/authorise against specific user profiles
> > in users dbm/txt but problems when trying to match realms.
>
>   Why are you using the DBM files?
>
> > We are not proxying to remote servers but do local auth on matching
> > realms. Am I missing some step/module which imports the proxy.conf
> > file - or the order of modules in authorise{} This issue occurs
> > regardless dbm or files based lookup and in realms module.
>
>   No.  The default configuration loads the proxy.conf file.
>
> > If I remove proxy.conf radius does not complain.
>
>   Because it's not required in all configurations.
>
> > Added to dbm file:
> > /usr/local/freeradius/bin/rlm_dbm_cat -f
>
>   Don't use rlm_dbm.  Just use the normal "users" file.  It works, and
> it's fast.
>
> > [3] radiusd.conf includes reference to realm module and includes in
> > authorise {} section. Also not including policy.conf which denies realms
> > by default.
>
>   No, it doesn't.  As the comments in that file should make clear, those
> are SAMPLE policies.  They aren't used until you tell the server to use
> them.
>
> > authorize {
> ...
> > }
>
>  Great.  You've completely butchered the "authorize" section, and
> removed all references to the "realms" module.
>
>  Can you explain WHY you did this?  What documentation led you to
> conclude that deleting the majority of that section was a good idea?
>
>  The recommendation here is simple:
>
> DO NOT BUTCHER THE DEFAULT INSTALL
>
>  The default installation WORKS.  If you had simply added a realm, and
> added entries in the "users" file... it would have WORKED.
>
>  Instead, you spent a great deal of effort editing the configuration,
> breaking it, and then trying to debug it.  Almost all of that work was
> wasted.
>
>   The default installation works.  Don't butcher it.  Read "man
> radiusd" for instructions on how to edit the configuration without
> breaking it.
>
>  Alan DeKok.

Re: problem matching realms - for local auth not proxy

2009-04-01 Thread Alan DeKok
Seamus Bridgeman wrote:
> Using freeradius2.1.3 for separate Auth and Acct servers in DSL/PPPoE
> n/w. Using CHAP auth only and lookup via dbm file with users.txt fallback.
> Can successfully authenticate/authorise against specific user profiles
> in users dbm/txt but problems when trying to match realms.

  Why are you using the DBM files?

> We are not proxying to remote servers but do local auth on matching
> realms. Am I missing some step/module which imports the proxy.conf
> file - or the order of modules in authorise{} This issue occurs
> regardless dbm or files based lookup and in realms module.

  No.  The default configuration loads the proxy.conf file.

> If I remove proxy.conf radius does not complain.

  Because it's not required in all configurations.

> Added to dbm file:
> /usr/local/freeradius/bin/rlm_dbm_cat -f

  Don't use rlm_dbm.  Just use the normal "users" file.  It works, and
it's fast.

> [3] radiusd.conf includes reference to realm module and includes in
> authorise {} section. Also not including policy.conf which denies realms
> by default.

  No, it doesn't.  As the comments in that file should make clear, those
are SAMPLE policies.  They aren't used until you tell the server to use
them.

> authorize {
...
> }

  Great.  You've completely butchered the "authorize" section, and
removed all references to the "realms" module.

  Can you explain WHY you did this?  What documentation led you to
conclude that deleting the majority of that section was a good idea?

  The recommendation here is simple:

DO NOT BUTCHER THE DEFAULT INSTALL

  The default installation WORKS.  If you had simply added a realm, and
added entries in the "users" file... it would have WORKED.

  Instead, you spent a great deal of effort editing the configuration,
breaking it, and then trying to debug it.  Almost all of that work was
wasted.

   The default installation works.  Don't butcher it.  Read "man
radiusd" for instructions on how to edit the configuration without
breaking it.

  Alan DeKok.
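
The setup the reply above recommends (add a realm, keep the default "authorize" section, add "users" entries), sketched as an added configuration example that is not part of the original thread. The realm name example.net and the reply attribute are constructed placeholders; "suffix" is assumed to be the realm module instance from the default 2.x configuration.

```text
# proxy.conf -- constructed example; "example.net" is a placeholder realm.
# A realm defined without a home server pool is local:
# requests for it are handled by this server and not proxied.
realm example.net {
}

# authorize section of the default virtual server.
# Leave the default entries in place; the lines that matter here are
# "suffix" (splits user@realm and sets the Realm attribute) and
# "files" (reads the "users" file), in that order.
authorize {
	# ... other default entries left as shipped ...
	chap
	suffix
	# ... other default entries left as shipped ...
	files
	# ... other default entries left as shipped ...
}

# users file -- match on the Realm attribute that "suffix" set.
DEFAULT	Realm == "example.net"
	Reply-Message = "Handled locally for example.net"
```

Running the server in debug mode (radiusd -X) shows whether the realm lookup in "suffix" matched before "files" is consulted.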